VYPR
Unrated severity · NVD Advisory · Published Jan 18, 2021 · Updated Aug 3, 2024

CVE-2021-25178

Description

An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files. This can allow attackers to cause a crash potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack-based buffer overflow in Open Design Alliance Drawings SDK before 2021.11 allows attackers to cause a denial of service or potentially execute arbitrary code via malformed DXF/DWG files.

Vulnerability

A stack-based buffer overflow vulnerability exists in Open Design Alliance Drawings SDK versions before 2021.11. The flaw occurs during the recover operation when processing malformed .DXF and .DWG files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer, leading to a buffer overflow [1][3]. Affected products include Siemens JT2Go, which uses the SDK [2][3][4].
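The mechanism described above (no length check before a copy into a fixed-length stack buffer) is illustrated below in C. This is an added example, not Open Design Alliance code, and it says nothing about how the SDK's real parser is written; it assumes a hypothetical minimal reader for DXF-style text, where group-code lines alternate with value lines, and contrasts the unchecked copy with a version that validates the length and rejects any record whose value would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-length stack buffer for one record value. Deliberately small so the
 * constructed "malformed" input below exceeds it. */
#define VALUE_MAX 32

/* Constructed sample inputs (not taken from any real file). DXF-style text is
 * a sequence of group-code lines alternating with value lines. */
const char *const GOOD_DXF =
    "  0\nSECTION\n  2\nHEADER\n  9\n$ACADVER\n  1\nAC1027\n";

/* Same structure, but one value line is 40 bytes, longer than VALUE_MAX. */
const char *const BAD_DXF =
    "  0\nSECTION\n  2\n"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n";

/* Shared line walker: calls cb for each value line with its start and length.
 * Returns the number of value lines seen, or -1 if cb reports failure. */
typedef int (*value_cb)(const char *start, size_t len);

static int walk_values(const char *text, value_cb cb) {
    int records = 0;
    int expecting_value = 0;        /* lines alternate: group code, then value */
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (expecting_value) {
            if (cb(p, len) != 0)
                return -1;
            records++;
        }
        expecting_value = !expecting_value;
        p = nl ? nl + 1 : p + len;
    }
    return records;
}

/* Vulnerable pattern (hypothetical): the value is copied into the fixed
 * buffer without comparing its length to the buffer size. With an oversized
 * value this writes past the end of 'value' on the stack, which is undefined
 * behaviour, so this program only ever feeds it GOOD_DXF. */
static int copy_unchecked(const char *start, size_t len) {
    char value[VALUE_MAX];
    memcpy(value, start, len);
    value[len] = '\0';
    return value[0] == '\0';        /* an empty value counts as malformed */
}

/* Hardened pattern: validate the length before the copy and reject the
 * record (rather than silently truncating it) when it cannot fit. */
static int copy_checked(const char *start, size_t len) {
    char value[VALUE_MAX];
    if (len >= sizeof value)        /* must leave room for the terminator */
        return -1;
    memcpy(value, start, len);
    value[len] = '\0';
    return value[0] == '\0';
}

int count_records_unchecked(const char *text) { return walk_values(text, copy_unchecked); }
int count_records_checked(const char *text)   { return walk_values(text, copy_checked); }

int main(void) {
    printf("checked, well-formed:   %d records\n", count_records_checked(GOOD_DXF));
    printf("checked, malformed:     %d (rejected)\n", count_records_checked(BAD_DXF));
    printf("unchecked, well-formed: %d records\n", count_records_unchecked(GOOD_DXF));
    return 0;
}
```

The only difference between the two callbacks is the single comparison against `sizeof value`; a reader that lacks it trusts the file to describe its own sizes, which is exactly what a malformed file violates. Rejecting the record outright, rather than truncating, keeps the failure visible and avoids parsing on from a silently altered value.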

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a specially crafted malicious DXF or DWG file (e.g., via a web page or email attachment). No authentication is required, but user interaction is necessary. The attacker does not need any special network position beyond delivering the file to the victim. The specific flaw exists within the parsing of DXF and DWG files as part of the recover operation [1][3][4].

Impact

Successful exploitation can result in a crash, exit, or restart of the application, causing a denial of service. In worst-case scenarios, the vulnerability may allow arbitrary code execution in the context of the current process, potentially leading to full system compromise [1][3][4].

Mitigation

Open Design Alliance has addressed this vulnerability in Drawings SDK version 2021.11 and later [1]. Users of affected products, such as Siemens JT2Go, should apply the vendor-supplied update. No workaround is disclosed in the available references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last reference date [2][3][4].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.